“TVSmiles” joins the vast division of entities that have left an unprotected AWS S3 bucket online and accessible by anyone with a web browser. The result of this is the leaking of 261 databases, containing 6.6 million rows and data entries, including 901,000 unique email addresses. All of the PII (personally identifiable information) was unencrypted, so the compromised users have been irreversibly exposed. The discovery of the data was the work of UpGuard researchers who located the bucket on May 8, 2020. TVSmiles was notified five days after that and secured the server within 24 hours.
TVSmiles is a German company that develops a mobile phone app to create “advertising-enhanced user experiences.” It combines ads, games, loyalty programs, rewards, etc. Users take quizzes on the app, receive targeted advertising, and win rewards for their participation. From a privacy perspective, TVSmiles is able to associate each user ID with the device it’s installed on, so profiling for purposes of more accurate ad targeting is openly done. The app is used by millions of people from the UK, Germany, and various other European countries. Unfortunately, the latest security incident affects a large portion of them.
Since the databases contained 306 GB of data, it took UpGuard a while to appreciate what has been leaked out there. Some databases contained device information, other entries revealed the user location, and some included email addresses and Facebook access tokens. Full names, dates of birth, phone numbers, passwords, and other sensitive information were also found in the databases. Some users didn’t provide a lot of data to the TVSmiles app, so not all data entries were equally rich. This is another reminder of why it’s important to give away any personal information with the pipette and provide fake identification - or ideally, nothing at all.
One of the databases contained a collection of “psychographic data” on the users, which serve as insights for targeted advertising. In there, one can find someone’s preferences in consumer goods and products of all kinds, their education level, and several esoteric interests that are deduced from the logging and analysis of various behavioral elements. This data was directly connected with the user’s real name, phone number, and geographic coordinates, so we’re basically talking about the worst-case scenario here. Remember, all of these apps claim to collect data in a manner that maintains the user’s anonymity, but lifting this superficial layer and connecting the data with real IDs is something that happens more often than not.